Germany rejects terror data-snooping plan

THE EU’s anti-terrorism action plan, drawn up in the wake of the 11 March Madrid train bombings, has suffered a severe setback with the German parliament opposing moves to snoop on all phone, fax and email communications.

A joint committee from the Bundestag and Bundesrat, the two houses in the federal parliament, voted yesterday (5 May) to reject mandatory data retention. Such a measure, envisaged in the action plan approved by EU leaders at their March summit in Brussels, would require telecommunications firms to store details of all calls made and faxes and emails sent, so that they can be accessed by law enforcement agencies.

While most EU capitals are in favour of the idea, Berlin has reservations, fearing it could conflict with the national constitution. German law requires that people who are subject to surveillance should be told that is the case.

The German parliamentary decision jeopardizes a new proposal tabled by France, the UK, Ireland and Sweden.

Their governments are hoping that an accord on EU-wide data protection can be thrashed out later this year.

The four are urging that it should be compulsory for telecoms firms to keep details of the location from which communications are made and their duration for 1-3 years, or longer if a government sees fit.

Their plan states that this retention would be used in the fight against crime in general, rather than just limited to terrorism.

Illegal content

“It is necessary to retain data in order to trace the source of illegal content, such as child pornography and racist and xenophobic material; the source of attacks against information systems; and to identify those involved in using electronic communications networks for the purpose of organized crime and terrorism,” the blueprint adds.

“In investigations, it may not be possible to identify the data required or the individual involved until many months or years after the original communication. It is therefore necessary to retain certain types of data, which are already processed and stored for billing, commercial or any other legitimate purposes, for a certain additional period of time in anticipation that they might be required for a future criminal investigation or judicial proceedings.”

But such far-reaching data retention is opposed by the so-called Article 29 working party, which bands together data- protection officials of EU states. It regards the measure as an onslaught on the right to privacy.

“The best way to have a solution is to having freezing of data if there’s a concrete suspicion against someone and then to have that data very quickly used. Only in the case where there’s a concrete suspicion, should there be the storage of data,” said Schaar, who is also the federal data ombudsman in Germany.

Mandatory data retention is opposed too by both civil liberties and industry.

Statewatch spokesman Ben Hayes said the measure was more intrusive than surveillance schemes drawn up by the US since the 11 September 2001 outrages. “If this proposal was a genuine anti-terrorism measure it would be clearly restricted to terrorist offences,” he said. “What is needed is good intelligence on specific threats, rather than mass surveillance of everyone, generating more data than can usefully be analyzed.”

Other critics include Michael Rotert, president of the European Internet Service Providers Association and chief executive of G10 – a German firm that makes surveillance equipment for use by police forces. He said data retention will add massive costs to internet companies – and could drive many smaller operators out of business.

Worse, he said the vast majority of the data that internet service providers might be forced to store would be practically useless to the authorities six months or so down the line.

Surveillance squads

Instead, Rotert said governments should spend more money on training police or crack surveillance squads to detect criminal activity as and when it happens: “I think they should get more law enforcement people to work quickly rather than digging in the data cemetery for a lot of dead data.”

Data freezing

A key problem, said Rotert, is that users dialing up to their internet service provider are only assigned a temporary code, which can be passed on to subsequent users who log on later. And even if it is possible to track down a person’s temporary code, this does not give any information about the online content or data they sent, received or viewed.

Rotert said ‘data freezing’ would be a “much more effective” solution for law- enforcement agencies.

This entails service providers agreeing with the authorities not to delete data about a specific suspect or group for a set period – provided a judge or court has signed an enforcement order.

However, even this is only to be information kept by the internet firms for billing, rather than about content.

“I know of no mechanisms [that can store all content data] for a period of three or four months,” Rotert warned, adding that several emails alone, together with attachments take up enormous amounts of computer memory.

Yet, if law enforcement agencies do get the manpower to track down would-be terrorists more quickly, the tools for observing their ‘real time’ behaviour on the internet is far more useful, Rotert explained.

They could also ask internet firms to redirect ongoing email ‘conversations’ directly to monitoring stations.